VAE to CADP for C
Prerequisites
Data Security Manager (DSM) is up and running at a supported version. Refer to the DSM documentation for details.
A supported Vormetric Application Encryption (VAE) version is configured with the supported DSM version. Refer to the VAE documentation for details.
CipherTrust Manager is up and running at a supported version. Refer to CipherTrust Manager Deployment for details.
Note
If you are running an unsupported version, upgrade your environment to a supported version before proceeding with the migration. Refer to the corresponding product documentation for upgrade instructions.
Supported Versions
Current Setup
Product | Version |
---|---|
Vormetric Application Encryption (VAE) | 6.4.3.2 or higher |
DSM | 6.4.5 or higher |
Target Setup
Product | Version |
---|---|
CipherTrust Application Data Protection (CADP) for C | 8.14.0 or higher |
CipherTrust Manager | 2.13.0 or higher |
Migration Steps
Migrating VAE PKCS11 C Library to CADP for C PKCS11 Library
Disable all key operations on the DSM (except read operations). Refer to the DSM documentation for details.
Migrate your DSM to a supported CipherTrust Manager version. Refer to Migrate from Data Security Manager for details.
Perform the upgrade from VAE to CADP for C on the client machine. Refer to Upgrade from VAE to CADP for C for details.
Tip
While installing CADP for C, the installer prompts you to confirm backward compatibility. Select 'Yes' or press Enter to accept the default setting. By default, CADP for C works in the Legacy VAE mode. This ensures the current VAE configuration is retained to support backward compatibility. Refer to the PKCS#11 configuration for details on the supported CADP modes: Legacy VAE and CipherTrust.
Refer to the sample provided on GitHub and update your application accordingly.
Note
Pkcs11Interop is built on .NET Standard 2.0. For information about the supported frameworks of .NET Standard 2.0, refer to the Microsoft documentation.
Configure CADP for C client with the CipherTrust Manager. Refer to the CADP for C installation for details.
Verify the communication between the CADP for C client and the CipherTrust Manager is successful.
Tip
The above steps are for migration of one client to CADP for C. Similarly, you can migrate your other existing VAE clients to CADP for C.
If you are using the .NET Wrapper, follow the steps to Migrate VAE .NET Framework Wrapper to CADP for C .NET Core Wrapper. If you are using the Java Wrapper, follow the steps to Migrate VAE Java Wrapper to CADP for C Java Wrapper.
Migrating VAE Java Wrapper to CADP for C Java Wrapper
From VAE Java Custom Wrapper
The CADP for C installation includes the latest JAR files required to use CADP for C Java Wrapper. Update your application to use the latest JAR files available with the CADP for C installation. No specific migration steps are needed.
Note
It is recommended to migrate and use the CADP for C Java Wrapper if you are using the VAE custom Java Wrapper.
Old VAE Java Wrapper (6.4.3.x) can also be used with CADP C PKCS11 Library.
From Sun Java/IBM Java Wrapper
To migrate from Sun Java/IBM Java Wrapper to CADP for C Java Wrapper, update the import statements in your existing application/sample. Refer to the following table for import statements.
Replace this statement | With this statement |
---|---|
sun.security.pkcs11.wrapper.CK_ATTRIBUTE | com.vormetric.pkcs11.wrapper.CK_ATTRIBUTE |
sun.security.pkcs11.wrapper.CK_MECHANISM | com.vormetric.pkcs11.wrapper.CK_MECHANISM |
sun.security.pkcs11.wrapper.CK_SLOT_INFO | com.vormetric.pkcs11.wrapper.CK_SLOT_INFO |
sun.security.pkcs11.wrapper.CK_VERSION | com.vormetric.pkcs11.wrapper.CK_VERSION |
sun.security.pkcs11.wrapper.PKCS11 | com.vormetric.pkcs11.wrapper.PKCS11 |
sun.security.pkcs11.wrapper.PKCS11Exception | com.vormetric.pkcs11.wrapper.PKCS11Exception |
sun.security.pkcs11.wrapper.PKCS11Constants.* | com.vormetric.pkcs11.wrapper.PKCS11Constants.* |
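The import replacement in the table above can be applied mechanically. The following is an added example, not part of the product or its samples: it rewrites only the imports listed in the table and reports any other `sun.security.pkcs11.wrapper` import for manual review. The function name and the sample Java source are constructed for illustration.

```python
import re

OLD_PKG = "sun.security.pkcs11.wrapper"
NEW_PKG = "com.vormetric.pkcs11.wrapper"

# Exactly the names listed in the replacement table; nothing else is rewritten.
MAPPED = {"CK_ATTRIBUTE", "CK_MECHANISM", "CK_SLOT_INFO", "CK_VERSION",
          "PKCS11", "PKCS11Exception", "PKCS11Constants.*"}

# Matches "import [static] sun.security.pkcs11.wrapper.<name>;" at line start.
IMPORT_RE = re.compile(
    r"^(?P<head>[ \t]*import[ \t]+(?:static[ \t]+)?)"
    + re.escape(OLD_PKG)
    + r"\.(?P<name>[\w.*]+)(?P<tail>[ \t]*;)",
    re.MULTILINE,
)

def migrate_imports(java_source):
    """Return (new_source, rewritten, unmapped) for one Java file's text."""
    rewritten, unmapped = [], []

    def swap(match):
        name = match.group("name")
        if name in MAPPED:
            rewritten.append(name)
            return f"{match.group('head')}{NEW_PKG}.{name}{match.group('tail')}"
        # Not in the table: leave the line untouched and flag it for review.
        unmapped.append(name)
        return match.group(0)

    return IMPORT_RE.sub(swap, java_source), rewritten, unmapped

# Constructed sample input (not taken from the vendor samples).
SAMPLE = """\
package com.example.demo;

import java.util.Arrays;
import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
import sun.security.pkcs11.wrapper.CK_MECHANISM;
import sun.security.pkcs11.wrapper.PKCS11;
import sun.security.pkcs11.wrapper.PKCS11Exception;
import sun.security.pkcs11.wrapper.CK_TOKEN_INFO;
import static sun.security.pkcs11.wrapper.PKCS11Constants.*;

public class Demo { }
"""

if __name__ == "__main__":
    new_source, done, review = migrate_imports(SAMPLE)
    print(new_source)
    print("rewritten:", done)
    print("needs manual review:", review)
```

Only import statements are handled; fully qualified references inside method bodies still need to be updated by hand.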
Migrating VAE .NET Framework Wrapper to CADP for C .NET Core Wrapper
Disable all key operations on the DSM (except read operations). Refer to the DSM documentation for details.
Migrate your DSM keys to a supported CipherTrust Manager version. Refer to Migrate from Data Security Manager for details.
Perform upgrade from VAE to CADP for C on the client's machine. Refer to Upgrade from VAE to CADP for C for details.
After upgrading from VAE to CADP for C, the new .NET Core Pkcs11Interop library is available at the following default path:
Windows:
<C:\Program Files\CipherTrust\CADP_for_C\wrapper\.NETCore\Pkcs11Interop.dll>
Linux:
</opt/CipherTrust/CADP_for_C/wrapper/dotNETCore/Pkcs11Interop.dll>
Perform the following tasks in the application based on the selection of the wrapper:
The changes are already made in the above step by the installer while upgrading from VAE to CADP for C.
To use the CADP for C .NET Core wrapper with VAE samples, perform the following steps:
Task | .NET Framework (Old) | .NET Core sample (New) |
---|---|---|
Namespace | NA | using Net.Pkcs11Interop.HighLevelAPI.Factories |
Create P11 object | using (Pkcs11 pkcs11 = new Pkcs11(Settings.Pkcs11LibraryPath, false)) | using (IPkcs11Library pkcs11Library = Settings.Factories.Pkcs11LibraryFactory.LoadPkcs11Library(Settings.Factories, Settings.Pkcs11LibraryPath, Settings.AppType)) |
Find first slot with token present | Slot slot = Helpers.GetUsableSlot(pkcs11); | ISlot slot = Helpers.GetUsableSlot(pkcs11Library); |
Open RW session | using (Session session = slot.OpenSession(false)) | using (ISession session = slot.OpenSession(SessionType.ReadWrite)) |
Replace the references of Class names with Interfaces respectively | ObjectHandle, Mechanism, ObjectAttribute | IObjectHandle, IMechanism, IObjectAttribute |
Update Settings | NA | Refer to Settings.cs to update settings in your application. |
Add object attribute in list | objectAttributes.Add(new ObjectAttribute(CKA.CKA_CLASS, (uint)CKO.CKO_SECRET_KEY)); | objectAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, (uint)CKO.CKO_SECRET_KEY)); |
Create Object handle | ObjectHandle createdKey = session.CreateObject(objectAttributes); | IObjectHandle createdKey = session.CreateObject(objectAttributes); |
Create Mechanism | mechanism = new Mechanism(CKM.CKM_SHA512); | mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_SHA512); |
For more details, refer to the sample provided on GitHub.
a. To use the CADP for C .NET Core wrapper with new samples only, download the samples from GitHub.
b. Add the new Pkcs11Interop.dll, available at the default location below, as a reference in the application:
Windows:
<C:\Program Files\CipherTrust\CADP_for_C\wrapper\.NETCore\Pkcs11Interop.dll>
Linux:
</opt/CipherTrust/CADP_for_C/wrapper/dotNETCore/Pkcs11Interop.dll>
For more details, refer to the sample provided on GitHub.
Update the CADP_PKCS11.properties file (present in the installation directory) for the configuration settings. Refer to the CADP for C Documentation for details.
Switching Back to VAE
In the future, if you want to revert to the VAE installation, run the CADP for C installer with the -e option. This removes the symlink and restores the previous VAE installation.
For example,
./install.sh -e
On Windows, if you want to revert to the VAE library, uninstall the current library.
Switching back to VAE is applicable (for both Linux and Windows) only if you selected yes for the Maintain Backward Compatibility with VAE option during the installation of CADP for C.
Note
If you are reverting to VAE by uninstalling CADP for C, you need to start the vaed service.